Professional Documents
Culture Documents
Mobile App Reverse Engineering Get Started With Discovering, Analyzing, and Exploring The Internals of Android and iOS Apps (Abhinav Mishra) (Z-Library)
Mobile App Reverse Engineering Get Started With Discovering, Analyzing, and Exploring The Internals of Android and iOS Apps (Abhinav Mishra) (Z-Library)
Engineering
Abhinav Mishra
BIRMINGHAM—MUMBAI
Mobile App Reverse Engineering
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, without the prior written permission of the publisher,
except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the
information presented. However, the information contained in this book is sold without warranty,
either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors,
will be held liable for any damages caused or alleged to have been caused directly or indirectly by
this book.
Packt Publishing has endeavored to provide trademark information about all of the companies
and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing
cannot guarantee the accuracy of this information.
978-1-80107-339-4
www.packt.com
Dedicated to the late Rajendra Singh, a passionate teacher, accomplished
author, and learner who inspired many, like me, to seek knowledge above
everything else. To my wife, Kanika Singh, for being the support I have
always needed. And to my mother and father, for being role models to me
and for motivating me.
Contributors
About the author
Abhinav Mishra is the founder and director of Enciphers, a cybersecurity consulting
and training company. Abhinav has over a decade of extensive experience in finding and
fixing security issues in web, mobile, and infrastructure applications. He has performed
penetration tests on more than 500 mobile applications and has discovered thousands of
critical vulnerabilities.
Abhinav completed his engineering degree in 2011 and since then has been involved
in penetration testing and securing applications and infrastructure. Prior to founding
Enciphers, Abhinav worked with Fortune 500 and giant tech companies as part of their
security teams. In his spare time, he is a traveler, adventure seeker, and drone hobbyist.
I would like to thank Manoj Jain, a skilled Android developer with almost
a decade of experience, and Mohammad Haroon, who is a passionate iOS
developer with 12+ years of experience in developing Swift/Objective and
C/C++/C apps. Both of them assisted in developing the SecureStorage app,
used in the book. Their contribution to this book is highly appreciated.
About the reviewer
Anant Shrivastava is the founder of a research firm named Cyfinoid Research. His last
job was as a technical director for NotSoSecure Global Services. He has been active in
the Android security field since the early days of Android development (2011). He has
been a trainer and speaker at various international conferences (Black Hat – USA, Asia,
EU, Nullcon, c0c0n, and many more). Anant also leads the open source projects Android
Tamer and Code Vigilant. He also maintains the archive portal named Hacking Archives
of India. In his spare time, he likes to take part in open communities geared to spreading
information security knowledge, including the null community, Garage4hackers, Hasgeek,
and OWASP.
I truly believe all of us in the technical world are standing on the shoulders
of giants. The giants for me are the open communities, such as null,
Garage4hackers, Hasgeek, and OWASP, where access to information is
unrestricted and people are interested in helping one another. I am deeply
indebted to all the communities and the people running these communities.
I am also thankful to my whole family for providing all the support and
tolerating my busy schedule and still standing by my side. I would also like
to do a special shout-out to my son, Aarush, whose smile gives me a reason
to keep going.
Table of Contents
Preface
2
Setting Up a Mobile App Reverse Engineering Environment
Using Modern Tools
Technical requirements 22 smali/baksmali29
Tools for the reverse strings30
engineering of mobile Ghidra31
applications23 Radare33
apktool25 Mobexler virtual machine 34
JADX – Dex-to-Java decompiler 27 Summary36
viii Table of Contents
4
Reverse Engineering an iOS Application
Technical requirements 64 Disassembling the application binary 71
iOS app development 64 Manually reviewing the disassembled
binary for security issues 81
Understanding the binary
Using Mac-only tools for iOS app
format 65 reverse engineering 85
Reverse engineering an iOS app 66
Extracting strings from the binary 69 Summary 86
5
Reverse Engineering an iOS Application
(Developed Using Swift)
Technical requirements 88 Reverse engineering a Swift
Understanding the difference application95
between Objective C and Swift Installing the Radare2 framework 96
applications 88 Using the Radare2 framework to
The difference between Objective C reverse engineer a Swift application 97
and Swift from a reverse engineering
Summary109
perspective92
Table of Contents ix
7
Automating the Reverse Engineering Process
Technical requirements 124 Case study one – automating
Automated static analysis of reverse engineering tasks 131
mobile applications 124 Case study two – automating
MobSF125 test cases to find
Performing a static scan on security issues 132
SecureStorage129 Summary134
8
Conclusion
Excelling in Android application Utilizing reverse engineering
reverse engineering – the skills 137
way forward 136 Exposing unreleased features in
Excelling in iOS application an application through reverse
reverse engineering – the engineering 138
way forward 136 Summary 138
Index
Other Books You May Enjoy
Preface
Mobile application reverse engineering is an important skill for penetration testers,
malware analysts, and application security professionals in general. This book talks
about how Android and iOS applications are developed, how to reverse engineer them,
different case studies of security issues discovered through reverse engineering, and how
to automate the reverse engineering and analysis part.
The book helps in understanding the internals of modern Android and iOS apps and how
you can reverse engineer application packages (APK and IPA). Here, you can start your
journey of creating a reverse engineering mobile application.
Chapter 4, Reverse Engineering an iOS Application, discusses how iOS apps are developed,
understanding the iOS executable format, exploring more iOS app reverse engineering
tools and their usage, and finally, reverse engineering an iOS application package.
Chapter 5, Reverse Engineering an iOS Application (Developed Using Swift), details the
difference between Objective-C and Swift applications from a developer's perspective
and also explains the process of reverse engineering a Swift application using the Radare2
reverse engineering tool.
Chapter 6, Open Source and Commercial Reverse Engineering Tools, discusses some
common open source as well as commercial (closed source) tools for reverse engineering,
together with real-world case studies for reverse engineering and the required capabilities
in a reverse engineering tool.
Chapter 7, Automating the Reverse Engineering Process, explains when it might be a good
idea to automate some parts of reverse engineering, and how to do that. This chapter
also looks at some case studies to explain how automation can be performed for some
test cases.
Chapter 8, Conclusion, talks about what to do next, and what other skills might be good to
learn if you want to continue this journey of reverse engineering.
Conventions used
There are a number of text conventions used throughout this book.
Code in text: This indicates code words in text, database table names, folder names,
filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles.
Here is an example: "To analyze the function in visual mode or a more visual presentation,
we can use the visual mode, using the VV command."
A block of code is set as follows:
# ./ghidraRun
Bold: This indicates a new term, an important word, or words that you see onscreen – for
example, words in menus or dialog boxes appear in the text like this. Here is an example:
"This will open the Ghidra project window. We can choose the Tools | CodeBrowser
option to open the code browser utility."
Disclaimer
The information within this book is intended to be used only in an ethical manner. Do
not use any information from the book if you do not have written permission from the
owner of the equipment. If you perform illegal actions, you are likely to be arrested and
prosecuted to the full extent of the law. Neither Packt Publishing nor the author of this book
takes any responsibility if you misuse any of the information contained within the book.
The information herein must only be used while testing environments with proper written
authorization from the appropriate persons responsible.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book
title in the subject of your message and email us at customercare@packtpub.com.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes
do happen. If you have found a mistake in this book, we would be grateful if you would
report this to us. Please visit www.packtpub.com/support/errata, selecting your
book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet,
we would be grateful if you would provide us with the location address or website name.
Please contact us at copyright@packt.com with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in
and you are interested in either writing or contributing to a book, please visit authors.
packtpub.com.
Preface xv
This section explains from scratch the reverse engineering fundamentals, terminologies,
the tools used, and setting up an environment using these tools. The chapters will also
explain some basic uses for those tools and the structure of mobile apps.
This part of the book comprises the following chapters:
A mobile application penetration tester tests the security of mobile applications in order
to find vulnerabilities. To find the vulnerabilities, the tester is required to understand
the internal working and logics of the application. These details can be found in the
source code of the application. However, the penetration testers do not always have the
source code to hand, as in the case of a black-box penetration test. During a black-box
penetration test, all that the penetration tester has is the application package, that is, the
Android Application Package (APK) or iOS App Store Package (IPA) file. In such a
case, to understand the working of the app, they need to unpack the application package
and get the source code.
Reverse engineering is the technique of dismantling an object to study its internal
designs, code, logic, and so on. Reverse engineering mobile applications is the process of
disassembling/dismantling an app to reveal its code and internal logic, components,
and so on.
In this chapter, we're going to cover the following main topics:
We will learn about the basics of reverse engineering and how mobile applications are
built. These fundamentals are important to understand before we can jump into the actual
task of reverse engineering modern apps.
Technical requirements
Android Studio and Xcode are required to complete the relevant hands-on exercises.
Xcode is Apple's integrated development environment (IDE) for macOS, used to
develop software for macOS, iOS, iPadOS, watchOS, and tvOS. Android Studio is the
official IDE for Google's Android operating system. An Apple laptop/desktop (Mac) can
install and run both Xcode and Android Studio, whereas other laptops/desktops running
Windows or Linux will only be able to support Android Studio.
For more information, please refer to the following links:
Fun Fact
Rename the file extension of an APK to .zip and use unzip to open. You will
be able to see its contents.
• lib: This contains the compiled code that is specific to a selection of processors, as
follows:
Important Note
Java code in Android devices does not run in the Java Virtual Machine (JVM).
Rather, it is compiled in the Dalvik Executable (DEX) bytecode format. A
DEX file contains code that is ultimately executed by Android Runtime.
Let's see how to create a simple hello world application for Android and then unzip it to
look at its components:
1. Android apps are developed using Android Studio. Download and install the
latest version of Android Studio from https://developer.android.com/
studio:
4. Once you click Finish, a new project will be created for a default activity/screen app.
5. You can now try to run the app on any attached Android device, or the virtual
Android emulator. For the latter, create a virtual Android device from the AVD
menu.
6. Once the app runs successfully, we will try to extract the application package for this
app from Android Studio:
9. Use any archive tool to unzip the file and extract its contents:
# unzip MARE-Chapter-1.zip
Figure 1.10 – Extracting the content of the APK, after renaming it to .zip
10. Let's analyze the components inside the APK and compare it with the list here
(Android application fundamentals):
The following diagram shows the processes of forward and reverse engineering an
Android application:
Figure 1.12 – The forward and reverse engineering processes with an Android application
Android applications are mainly developed using Java and Kotlin. The internals of an
Android package are the same whether it is based on Java or Kotlin. Therefore, the
approach to reverse engineer the application is also the same.
We've now learned about the fundamentals of Android applications. iOS apps are also
packaged into a specific format and have a specific structure. Let's look into the iOS
application fundamentals now.
Let's see how to create a simple hello world application for iOS and then unzip it and look
at its components:
1. iOS apps are developed using Xcode. Download the latest version of Xcode from the
App Store on Mac.
Figure 1.22 – Diagram explaining the application (IPA) extraction process via renaming
11. Use any tool to unzip the file and extract its contents:
# unzip MARE-Chapter-1.zip
Figure 1.23 – Extracting the content of the IPA after renaming it to ZIP
20 Basics of Reverse Engineering – Understanding the Structure of Mobile Apps
12. Go into the Payload directory and then inside the MobileAppReverseEngg-
App-1.app file:
# cd Payload
# cd MobileAppReverseEngg-App-1.app
13. Let's analyze the components inside the IPA and compare it with the list here (iOS
application fundamentals):
Summary
The concepts and processes of reverse engineering are very interesting. Through this
chapter, you have learned the fundamentals of reverse engineering both Android and iOS
applications. The concepts explored will help your understanding in the later chapters of
this book as we begin to look at reverse engineering in depth.
In the next chapter, we will learn more about the modern tools used to reverse engineer
iOS and Android apps.
2
Setting Up a Mobile
App Reverse
Engineering
Environment Using
Modern Tools
As you already understand the fundamentals of reverse engineering, let's start exploring
some modern reverse engineering tools that can be used for mobile applications.
In order to reverse engineer mobile apps, we need specialized tools and utilities. Some of
those tools are paid and some are open source. We will try to use the open source tools
and utilities as much as possible, but will also provide you with a commercial alternative,
wherever applicable.
22 Setting Up a Mobile App Reverse Engineering Environment Using Modern Tools
Before we start setting up the tools in our newly created Ubuntu virtual machine, it is
important to understand that some of the tools work for both iOS and Android apps,
while some of them only work on one. For each tool explained, you will find a Use case
example section. This section will provide information about what platform this tool will
work on, that is, iOS/Android or both.
At the end of the chapter, you will also be provided with details about a customized
virtual machine platform for penetration testing and the reverse engineering of mobile
applications, Mobexler.
This chapter talks about some of the fun little utilities, as well as commercial tools, that
can be used for reverse engineering.
In this chapter, we will cover the following topics:
• Tools for the reverse engineering of mobile (Android and iOS) applications
• Setting up an environment for reverse engineering
• Installing and setting up the tools for reverse engineering
• Setting up Mobexler (a mobile application penetration testing platform)
Technical requirements
Download and set up a virtual machine (at the time of writing this book, Ubuntu 20.04.3
LTS is the latest version, and we will be using that) using any virtualization software, such
as VirtualBox or VMware. You can download Ubuntu 20.04.3 LTS (Ubuntu desktop) at
https://ubuntu.com/download/desktop.
For virtualization, you can use the open source VirtualBox (https://www.
virtualbox.org/) or the commercially available version (as well as the free version)
of VMware Workstation Player (https://www.vmware.com/in/products/
workstation-player.html) for Windows, or VMware Player Fusion (https://
www.vmware.com/in/products/fusion.html) for Mac.
The steps to download and set up a virtual machine are not covered, as it is a
straightforward and easy-to-do task. Following any good article/blog post on how to set
up an Ubuntu virtual machine should provide all necessary information. Here is a post
from the VirtualBox official website about creating a Windows-based virtual machine:
https://www.virtualbox.org/manual/ch01.html#gui-createvm.
Tools for the reverse engineering of mobile applications 23
# unzip --help
The preceding command should result in running the unzip utility and showing you all
the different options available.
Now, let's try and unpack an APK file. Simply take the APK file we created in the previous
chapter and try to unpack it using the unzip utility. Make sure the APK file is saved in
the Desktop folder, or create a new folder and save the file in that folder. Once the file
is saved, open Terminal in that folder by right-clicking somewhere inside it and selecting
Open in Terminal.
2. Extract the files from the ZIP file using the unzip utility:
#unzip app-debug.zip
24 Setting Up a Mobile App Reverse Engineering Environment Using Modern Tools
apktool
Tool: apktool
Website: https://ibotpeaches.github.io/Apktool/install/
About: A tool for reverse engineering Android apps
Used for: Android apps
Here are the instructions to install apktool (in Ubuntu):
#wget https://raw.githubusercontent.com/iBotPeaches/
Apktool/master/scripts/linux/apktool
If you see an error related to Java, it might be possible that Java is not installed. In that
case, please install Java with the following command:
1. Once installed, we will simply start Terminal and type the following command:
#apktool d <APK Path>
Figure 2.6 – JADX showing the Java source code from the APK
smali/baksmali
Tool: smali/baksmali
Website: https://github.com/JesusFreke/smali
About: An assembler/disassembler for the dex format used by Dalvik
Used for: Android apps
Follow these instructions to install it (in Ubuntu):
1. Download and save the latest stable version of the tool from https://
bitbucket.org/JesusFreke/smali/downloads/.
2. Use Java to run either of the apps. For example, run baksmali as shown in the
following figure:
strings
Tool: strings
Website: https://www.gnu.org/software/binutils/.
About: The Linux strings command is primarily used for finding string characters
in files. It focuses on determining the contents of, and extracting text from, binary files
(non-text files). Different operating systems might have different arguments.
Used for: Android and iOS apps
To install it (in Ubuntu), run the following command in Terminal:
Ghidra
Tool: Ghidra
Website: https://github.com/NationalSecurityAgency/ghidra/
releases.
About: A software reverse engineering (SRE) suite of tools developed by the NSA's
Research Directorate
Used for: Primarily iOS apps
Follow these instructions to install it (in Ubuntu):
4. Once you start Ghidra, create a project and then choose one of the tools to run, as
shown here:
Radare
Tool: Radare
Website: https://rada.re/r/.
About: Disassembling (and assembling) many different architectures
Used for: Primarily iOS apps
Follow these instructions to install it (in Ubuntu):
1. Download the latest image (ova) file from the Mobexler website: https://
mobexler.com/download.htm.
2. Import the downloaded virtual machine image in virtualization software, such as
VirtualBox or VMware.
3. You can also follow the step-by-step guide on the Mobexler website: https://
mobexler.com/setup.htm.
4. Once imported as a virtual machine, log in to the virtual machine using the
password mentioned in the virtual machine description.
To learn more about the tools installed inside Mobexler, you can visit the Mobexler page
at https://mobexler.com/tools.htm.
#apktool d [apk_nam/path]
Now that we have got the environment fully set up for the reverse engineering of mobile
apps, we will start working on some exercises in which we will reverse engineer real-world
mobile apps. In order to help you understand the concepts better, we will be providing
the source code (as well as the application package) of a real-world application. This
application will be available in multiple formats, that is, Java and Kotlin for Android
applications, and Swift and Objective C for iOS apps.
Summary
In this chapter, we looked at some of the awesome utilities and tools that can be used for
the purpose of reverse engineering Android and iOS applications. Knowing how to use
these tools and when to use them helps in properly reverse engineering apps. As you have
a reverse engineering environment ready with all the tools, either using an Ubuntu virtual
machine or using Mobexler, we can now proceed to actually use these tools and reverse
engineer a real Android or iOS application.
In the next chapter, we will start with a more in-depth analysis of a Java-based Android
application, where we will try to reverse engineer the application, look inside the source
code, and understand its different features.
For the purpose of this book, we have created an Android, as well as an iOS, version of an
app called SecureStorage. In the next chapter, let's look at what the SecureStorage app is
about and how we can reverse engineer it.
Section 2:
Mobile Application
Reverse Engineering
Methodology and
Approach
This section covers Android and iOS apps one by one in separate chapters to look
into how those apps are developed, exploring the internals of the apps and the process
to reverse engineer them. This section covers Android apps, iOS apps built using
Objective-C, and iOS apps built using Swift, ranging from unzipping application packages
to extracting content, as well as binaries. We will look into the process of how to
reverse engineer an application's binary and understand the workings of an application(s).
This part of the book comprises the following chapters:
Technical requirements
This chapter has the following technical requirements:
• An Ubuntu virtual machine with the tools listed in Chapter 2, Setting Up a Mobile
App Reverse Engineering Environment Using Modern Tools (only Android-specific
tools).
• Download the SecureStorage Android application source code from this link:
https://github.com/0ctac0der/SecureStorage-AndroidApp
Important Note
What is bytecode?
To run a Java program on a computer, we need to convert the high-level code
(source code or program code) to machine code. The compiler converts the
code from a high-level language to a low-level language; the output of the
compilation process is bytecode. Bytecode is the low-level code, which is
mainly the instruction set for software interpreters or virtual machines (such as
JVM). Finally, the bytecode is translated by an interpreter into machine code.
1. The developer writes the application code (such as Java or Kotlin) in the Android
development environment, Android Studio.
2. The written code is compiled to Dalvik executable (.dex) files using DEX
compilers, which will run in the ART environment (as well as the Dalvik virtual
machine).
3. The compilers in Android Studio will also compile the other resource files, JAR
libraries, and other libraries (if any).
4. The compiled .dex files and the compiled resources will be packed together to
create the Android Package (APK).
Important Note
For an Android application developed using Java, the code is compiled to DEX
bytecode. The reverse engineering process works in the opposite direction –
extract the .dex files from the APK and convert them to Java code.
The reverse engineering of Android applications 43
The final application package (meaning the APK) will contain the following important
files and folders, together with other entities:
SecureStorage is a simple Android application that can be used to store credit card
information on the device. A user will have to sign in with the correct password to be able
to access the stored information.
44 Reverse Engineering an Android Application
You can install the downloaded application on the Android virtual device to see how it
works. Some of the screens look as follows:
If the user does not have an account in the app, they can create an account from the Join
Today screen, which looks as follows:
Once logged in, users get multiple options to save a credit card, modify an already stored
card, and view previously added cards. The following screen shows all those options:
So far, we have looked into details of how Android apps are developed and run on
a device, and their internal components, and have also installed an app (SecureStorage).
Now, let's move forward to start reverse engineering the app and look at what's
hidden inside.
Extracting the Java source code 47
# cd bin/
# ./jadx-gui
In the JADX window, open the APK file you just downloaded. Refer to Chapter 2, Setting Up
a Mobile App Reverse Engineering Environment Using Modern Tools, to see how to do this:
Important Note
The decompiled Java code from JADX is generally not recompilable.
When code is highly obfuscated, or the Java code is difficult to obtain, we can convert
the .dex files (Dalvik bytecode) to smali. The .dex files contain the binary Dalvik
bytecode, which is not at all easy to read or modify, so it is useful to convert that bytecode
into a more human-readable format, smali. So, it is an approach to understand the code
through the decompiled code from JADX and use the smali version to edit any part of
it and then recompile it. A pair of tools called smali and baksmali, which are technically
an assembler and a disassembler, can be used to convert the smali code to .dex format,
and .dex to smali, respectively.
# apktool d app-debug.apk
Once the APK has been decompiled, navigate to the folder created (in this case
app-debug), and you will find several subfolders inside it with the name smali*. These
folders contain the converted smali files from the .dex files in the APK:
# cd smali_classes5/com/example/securestorage/adapter
The following figure shows the list of smali files in the directory:
# cat CardDetailsAdapter.smali
50 Reverse Engineering an Android Application
• Extracted the content of the APK, by using a tool such as unzip. This is not the
decompiling of the APK but a simple extraction of contents, following the unarchive
process. That's why the compiled resources such as AndroidManifest.xml will
not be readable. (Refer to Figure 3.5.)
• Used the JADX tool to get the decompiled Java source code from the APK. It is
easier to use this decompiled code in JADX to understand the functionalities of
the application and different classes, for example. However, if we needed to modify
any of the content of this source code, it would be very difficult to recompile it.
Also, JADX might not be able to convert all the .dex files properly to Java code (in
readable format). (Refer to Figure 3.6.)
• Decompiled the APK using apktool, which also resulted in getting the smali
version of the code. The smali format is comparatively easy to modify and
recompile. (Refer to Figure 3.7.)
We can also use the smali/baksmali tools independently to convert the .dex files
to smali code, and vice versa. To do so, we can take any of the .dex files from ZIP
extracted contents and run baksmali on them.
Let's take the classes4.dex file and copy it to the folder where the smali/baksmali
tools are saved:
Figure 3.12 – Copying the classes4.dex file to the smali tool folder
52 Reverse Engineering an Android Application
Now, open the Terminal window in the same folder by right-clicking and selecting the
Open in Terminal option. In the Terminal window, run the following command:
You will see a new directory created with the name app and it will have the smali files
located at app/com/example/securestorage/adapter:
{
"email":" 41ZEyV2TFKvkjJwulP7I4hY8qEZaYagik2R6BHJFrPg= ",
"password":"crGTh+mckBpwBxXOKTQpWQ=="
}
In this case, it is important to understand how the values of the email and the password
are being encrypted to create ciphertext that is being sent as a part of the HTTP request.
The answer to this question might be found by reverse engineering the application and
exploring the source code to understand the classes where the encryption of input values
is being done.
Similarly, there could be other examples in which different functionalities of the app
have a complicated implementation. In all such cases, reverse engineering the application
generally helps in understanding the logic.
As well as that, there are other cases where the reverse engineering of the application can
be very much required during a penetration test. Some of the cases are as follows:
• Finding the API calls, or endpoints that the application is making to the backend.
• Understanding the way some security controls are implemented in order to bypass
them. For example, certificate pinning is a security control implemented in a
lot of mobile applications to ensure that an application only establishes the TLS
connection using the certificate inside the package, and no external user-installed or
system-installed TLS certificate is trusted. To implement this, the application code
verifies that the TLS certificate presented during the SSL handshake is the same as
the one stored inside the application package.
One of the common tests performed during root detection is to verify whether an
application with the name SuperUser is installed on the device or not. By reverse
engineering the application, a penetration tester can find these types of tests that
are being done by the app. Then, they can modify the corresponding smali file to
return a false result and therefore bypass the root detection.
• Finding hardcoded sensitive information inside the application code, such as
backdoor accounts, API keys and secret, unpublished backend endpoints, and
hidden menus.
• Finding interesting strings in the code.
• Finding points of encryption and obfuscation, so that they can be decrypted and
de-obfuscated.
54 Reverse Engineering an Android Application
Reverse engineering also helps in learning more about the important components of an
application. A penetration tester would be able to find details of the following components
through reverse engineering:
• Activities: Components that provide a screen with which users can interact.
For example, Figure 3.2, Figure 3.3, and Figure 3.4 show the activities of the
SecureStorage application.
• Broadcast receivers: Components that receive and respond to broadcast messages
from other apps or from the operating system.
• Services: Components that perform operations in the background.
The majority of these components are listed in the AndroidMinfest.xml file, and the
same components can be read/explored from the JADX code or smali files. Let's look at
the AndroidManifest.xml file of the SecureStorage app:
The AndroidManifest.xml file mentions that there are five activities in this app:
• com.example.securestorage.activity.LoginActivity
• com.example.securestorage.activity.HomeActivity
• com.example.securestorage.activity.SignupActivity
• com.example.securestorage.activity.SaveCardInfoActivity
• com.example.securestorage.activity.CardDetailsActivity
We can further explore the implementation of any of these activity components as shown
in the following figure in the respective section in JADX:
We can select an activity and look at the code. Let's see how SaveCardInfoActivity
is implemented:
cardInfo.setCardHolderName(SaveDataUtils.
getEncryptedData(this.etCardHolderName.getText().toString()));
SaveDataUtils.updateCardInfo(cardInfo, this.
itemPosition);
CommonUtils.showToast(this, "Card Details Edit
Successfully");
}
It should also be noted that there is an EncrytionUtils inside the utils section.
EncryptionUtils is called via the getEncryptedData function (inside
SaveDataUtils):
From the preceding code, we can see that the application seems to be performing
Advanced Encryption Standard (AES) encryption on the data before saving it on the
device. The encryption is a symmetric encryption, which uses the same key to encrypt and
decrypt the data. The key is also a part of the decompiled source code.
That's a security issue – hardcoding the encryption/decryption key in the application code
itself. The key is mentioned in the following line:
There are several different types of vulnerability that can be discovered by analyzing the
reverse engineered code. For example, you can find arbitrary code execution if a section
of application code allows code from other apps to run. This type of issue could be
discovered by reverse engineering the application and analyzing its code.
So far, we have been working on a debug release of the application. A debug release does
not always contain all the security controls that the release build of the application has.
One of the most important things missing in the debug release is often code obfuscation.
Modifying and recompiling the application 59
Important Note
To install this modified APK on a device, we will need to sign in with a key.
You can generate a key using the keytool tool and then use jarsigner to
sign the application again.
Making smaller changes, such as modifying strings or changing a few static elements
of the application, is easier and can be done simply by following the preceding steps.
However, to recompile the application after big changes in the smali code, you will need
to follow some more recommendations.
Developers may use the default obfuscation tool ProGuard, available in Android Studio,
or also use a third-party obfuscation tool available in the market. Depending upon the
type of obfuscation used, the de-obfuscation technique should be changed. ProGuard is an
open source command-line tool that can be used to obfuscate Java code.
One of the ways to de-obfuscate the DEX bytecode is by identifying and using the
de-obfuscation methods in the application. This can be done by running the Java code
of de-obfuscation methods (the de-obfuscation method code implemented) on the other
classes that you want to de-obfuscate.
To understand better, download the release build of the SecureStorage application from
the following link:
You can see that the class names have been modified to random letters. On further
analysis, you will notice that the utils section no longer seems to have classes other than
CommonUtils. But, for the app to function, the encryption class and the key have to be
there in the code itself.
It is possible to further explore the reverse engineered source code to find the correct
place where the EncryptionUtils class is:
# class:
#-keepclassmembers class fqcn.of.javascript.interface.for.
webview {
# public *;
62 Reverse Engineering an Android Application
#}
Summary
This chapter explained how Android applications are developed, compiled, and packed.
We learned how to perform reverse engineering on Android applications to create the
original Java source code. Once the Java source code is decompiled from the APK, we
learned what to look for in the app and how to find security issues. Obfuscation and
de-obfuscation are also important parts of reverse engineering, and we learned how
a developer may implement some basic ProGuard obfuscation on the application code
before creating the release build. However, it is not always required that the whole
decompiled application code is de-obfuscated as well.
In the next chapter, we are going to have a closer look at reverse engineering an iOS
application. We will explore the tools used for that and will also learn how to enumerate
interesting bits in the decompiled application binary of an iOS application.
4
Reverse Engineering
an iOS Application
In comparison to Android apps, reverse engineering an iOS application is a bit more
complicated. This is mainly due to the security controls that are implemented by iOS and
the way Apple manages application installation and verification across all iOS devices.
For example, to get the iOS App Store Package (IPA) from a device running on the
application, you can't simply extract the IPA and install it on another iOS device. This is
because all the applications that are installed from the Apple App Store are encrypted on
the device. Here, you would be required to extract a decrypted IPA and then sign it again
to be able to run it on another iOS device.
In this chapter, we will cover the following topics:
Technical requirements
We will be using the same virtual machine setup for Ubuntu that we used in the previous
chapter. However, it might be useful if you have a Mac laptop or computer and an
iOS device.
For this chapter, the following tools need to be installed:
Once the compilation process has been completed, the IDE creates the final package
– that is, the IPA. The IPA contains all the necessary resources, certificates, assets, and
binary files. Before we start reversing, it is important to learn about the structure of the
executable binary.
As we dive deeper into the binary structure and reverse it, we'll use a sample application
and perform the same steps. Here, we will be using the iOS version of the SecureStorage
application. The iOS application has two variants – one that's developed using Objective-C
and another that's been developed using Swift. In this chapter, we will be working with the
Objective-C version of the app.
You can download the Objective-C version of the application from the following
GitHub link:
IDEs for iOS apps in Xcode can only run on Mac-based systems. However, since we are
working on reverse engineering the application, we do not need the Xcode IDE. The
only thing we need to start is the application package – that is, the IPA – and this can be
downloaded from the link mentioned previously. The iOS version of the application also
looks the same as the Android version. The following are some of the screenshots of the
SecureStorage application running on iOS:
Important Note
To extract the unencrypted IPA, we need a jailbroken iOS device running
the target application. When the app runs in the device memory (process
memory), it is in an unencrypted state. Utilities such as frida-ios-dump
and frida-ipa-dump extract all the unencrypted application files from
memory and combine them in the IPA. Reverse engineering can then be
performed on the extracted IPA, but to reinstall that IPA on another device,
it would need to be signed by an Apple developer certificate. Another utility
(https://www.iosappsigner.com/) can be used to sign the IPA.
For now, let's download the package from the GitHub link mentioned previously
(https://github.com/0ctac0der/SecureStorage-ObjC/releases/
download/0.1/SecureStorageObjC.ipa) and save it in a directory called iOS
on our virtual machine environment's desktop. As we already know, the IPA is also a
compressed (ZIP) file containing different assets and files. So, let's unzip the file directly
using the unzip utility in Linux.
As shown in the preceding screenshot, once the file has been unzipped, a new folder
will be created called Payload. All the iOS packages contain a Payload folder. This
Payload folder contains a .app file, which often has the same name as the binary
(application). In this case, if you navigate inside the Payload folder, you will find the
.app file – that is, SecureStorageObjC.app:
Analyzing all the strings in the application binary is very important while testing the
application for any sensitive hardcoded information inside the application code. Several
interesting things might be hardcoded in the application, such as an internal IP address,
internal application URL, hardcoded key and secret, encryption keys, and more.
We now have all the strings of the binary. At this point, we can analyze them to find
interesting hardcoded details.
While developing the iOS applications, all the application code is compiled into machine
code. That is why, to analyze the iOS application's binary, we would need a disassembler.
So, let's move on and disassemble the binary using a more advanced reverse engineering
tool, Ghidra.
Using Ghidra
In Chapter 1, Basics of Reverse Engineering – Understanding the Structure of Mobile Apps,
you learned how to install Ghidra on our virtual machine environment. Now, let's use the
same installation steps and disassemble the binary:
1. To start Ghidra, open a "terminal" and navigate to the directory where Ghidra was
downloaded. This directory should contain a file named ghidraRun.
2. To run it, simply run the following command in the Terminal window:
# ./ghidraRun
3. This will open the Ghidra project window. Choose the Tools | CodeBrowser option
to open the code browser utility. (Refer to Chapter 2, Figure 2.5.1 – Starting Ghidra
CodeBrowser.)
4. In the CodeBrowser window, you can drag and drop the binary file to start
disassembling it. When the binary file has been dropped in the CodeBrowser
window, it will automatically find the format and architecture of the binary.
Important Note
Operation code (opcode) is also known as instruction code/syllable/parcel or
opstring code. It is the section of a machine language instruction that explains
what operation is to be performed.
Reverse engineering an iOS app 73
6. Once you click Yes, Ghidra will show all the available Analysis Options, as shown
in the following screenshot:
Important Note
The auto analysis process may show some warnings at the end. Generally, these
warnings can be ignored as they are not interesting from a reverse engineering
perspective.
76 Reverse Engineering an iOS Application
Previously in this chapter, we discussed that each binary file begins with a header (called
a mach header), which contains a magic number that can be used to identify it. The mach
header for this binary is visible on the pane in the center, as shown in the following
screenshot:
For the SecureStorage application, you might be interested in finding whether the
application encrypts the data, and if it does, then you will want to find out what type of
encryption is being used and where the encryption key is.
So far, we have reverse engineered the application using different tools and analyzed it.
It is also important to understand how to manually review the disassembled application
binaries to find what you are looking for.
When Hopper Disassembler is run for the first time, it will ask for a License File, but as
we are only going to use the demo, click the Try the Demo button.
After that, simply drag and drop the application binary into the Hopper Disassembler's
middle pane. Similar to Ghidra, Hopper will also provide the details of the binary it is
importing. Click on OK, without changing any of the other options for checks (unless you
are sure about what you are doing).
The tabs on the left pane of Hopper are interesting to start with. The most important tabs
are Labels, Strs, and Procs. The Labels tab contains different memory addresses, along
with their associated names and instruction sets. The Strs tab shows all the strings in the
binary (similar to what we extracted using the strings utility). All the methods that were
used in the application can be found in the Procs tab. Hopper also shows the pseudocode
for a specific part/function when it's selected. To view the pseudocode for any section,
select the section and then click on the Show Pseudo Code of Procedure button on the
toolbar. The following screenshot shows the pseudocode for the +[GeneralUtilssave:]
label:
Let's search the Strs tab in the disassembled app in Hopper for anything related to the
encrypt keyword:
Figure 4.22 – Hopper showing all the references to the aEncryptKeyiv keyword
84 Reverse Engineering an iOS Application
Looking closely at the selected reference, you will notice a long integer right above it, as
shown in the following screenshot. This is the encryption key that's being used.
You will find that the encryption key was part of the originally extracted secrets. However,
it might be difficult to figure out what this key is being used for if we did not have the
disassembled binary to analyze.
• otool: This is used to dump different libraries and find any deprecated libraries that
are being used. The following command can be used to list all the libraries being
used in the SecureStorage application:
#otool -L [path to binary file]
The following screenshot shows the output of otool for the SecureStorage app:
The following screenshot shows the dumped entitlements for the SecureStorage app
when using codesign:
Having access to a Mac and being able to run Mac utilities while you're reverse
engineering iOS apps can be helpful. However, tools such as strings, Hopper, and Ghidra
allow Linux users to perform almost all the necessary tasks.
Summary
In this chapter, you learned how iOS applications are developed, compiled, and packed.
Then, you learned how to reverse engineer iOS apps and disassemble the binary. The
reverse engineering process can go even further and help you analyze the disassembled
native code and libraries. Reviewing the disassembled or reverse engineered code requires
knowing the relevant architecture and instructions. During a penetration test, reverse
engineering can help you find several security issues.
In the next chapter, we are going to look at reverse engineering an iOS application that's
been developed in Swift. We will look at the differences between reverse engineering a
Swift-based application and an Objective-C application.
5
Reverse Engineering
an iOS Application
(Developed Using
Swift)
In the last chapter, we discussed how iOS applications, developed using the Objective C
programming language, can be reverse engineered and disassembled to extract useful
information from the binary.
Swift is now (at the time of writing – December 2021) the official language for iOS
application development. The majority of the modern iOS applications are developed
using Swift, as it provides some great benefits, such as better code readability. Swift
generates a compiler error as you write code so that issues can be fixed right away, and it
has better memory management, less code (in comparison with Objective C), support for
dynamic libraries, and so on.
88 Reverse Engineering an iOS Application (Developed Using Swift)
Technical requirements
We will be using the Ubuntu virtual machine setup, which we used in the previous
chapter. This chapter will need the following tools to be installed:
• Radare2 (https://github.com/radareorg/radare2)
• Ghidra (https://ghidra-sre.org/)
• The GitHub repository (for full source code) of SecureStorage application (the Swift
version): https://github.com/0ctac0der/SecureStorage-iOSApp.
• The link to download the application package (the SecureStorage Swift version):
https://github.com/0ctac0der/SecureStorage-iOSApp/
releases/download/0.1/SecureStorage.ipa.
Understanding the difference between Objective C and Swift applications 89
Let's have a look at how the code looks for the same application (SecureStorage) in Swift
and Objective C, respectively:
• For each class, the Objective C project (Figure 5.2) has a header (a .h file) and an
implementation file (a .m file), also known as a compilation unit. However, in Swift,
the header is not mentioned separately.
• In general, Swift requires fewer lines of code than Objective C for the same task. The
lines of code in both projects can be calculated by using the following command in
the terminal when it is running in the same directory as the project:
# find . "(" -name "*.m" -or -name "*.mm" -or -name "*.h"
-or -name "*.cpp" -or -name "*.swift" ")" -print0 | xargs
-0 wc -l
Understanding the difference between Objective C and Swift applications 91
The preceding command will search for all file formats matching .m, .h, .swift,
and so on, recursively in all folders, and will then find the number of lines in those
files, finally giving a count of the total lines of code.
The following screenshot shows the number of lines of code in Swift:
Apart from the visible differences in the projects, there are some other differences too,
such as the following:
• Swift only has classes, whereas Objective C has both classes and structs.
• Swift is comparatively faster in compilation than Objective C.
• Swift is an Apache-licensed open source project.
• Dynamic libraries are supported in Swift but not in Objective C.
In order to further understand how the two languages differ from a reverse engineering
point of view, we will analyze the code snippet, which does the same task, in both
languages.
Swift code
func loginWithUserName(userName : String, password : String){
let str1 = userName
let str2 = password
}))
self.present(alert, animated: true, completion: nil)
}
Understanding the difference between Objective C and Swift applications 93
Objective C code
-(void)loginInAppUsing :(NSString*) userName and : (NSString*)
password{
When the binaries storing the preceding code are disassembled using a tool such as
Ghidra, we get the following results.
94 Reverse Engineering an iOS Application (Developed Using Swift)
Figure 5.5 – The disassembled code of the binary with Swift code
Disassembled Objective C code (entry function):
Figure 5.6 – The disassembled code of the binary with Objective C code
Reverse engineering a Swift application 95
From the preceding decompiled code, we can see that the Swift version of the code is
comparatively more difficult to read or analyze than the Objective C version. For simpler
tasks, such as extracting class information and finding strings in the binary, it is possible
to use the same tools that we use for Objective C. However, the same tools might not give
the desired output a lot of the time with Swift binaries.
In the next section of this chapter, we will use an advanced reverse engineering framework
known as Radare2, or r2. You can find the official GitHub repository of Radare2 here:
https://github.com/radareorg/radare2. The Radare2 framework contains
multiple tools/utilities that can be used to perform different tasks such as extracting
information from executable binaries, debugging apps, assembling, and disassembling.
In the next section, we will install the Radare2 framework on our Ubuntu virtual machine
and look into its use for reverse engineering a Swift-based application.
Important Note
Together with Frida-based tools such as frida-ios-dump and frida-
ipa-dump, there are several other applications available for jailbroken
devices that can help to extract an unencrypted application from the device.
Most of these applications can be downloaded on a jailbroken device using
Cydia (a third-party application installer for jailbroken iOS devices).
Once the application is downloaded, please follow the steps to extract the application
binary from the package by unarchiving it (refer to the Reverse engineering the iOS app
section of Chapter 4, Reverse Engineering an iOS Application).
We will create a directory named swift on our Ubuntu virtual machine and save the
extracted Swift binary in that directory.
As mentioned before, to reverse engineer the Swift binary, we will be using the Radare2
framework.
96 Reverse Engineering an iOS Application (Developed Using Swift)
1. To install the Radare2 framework using pip, we first need to install the pip utility
by running the following command:
# sudo apt install python3-pip
• radare2: This is the main tool of the whole framework, and its main purpose is
to perform disassembling, binary patching, data comparison, and more on several
different types of input/output sources and files.
• rabin2: A tool to extract information from executable binaries, such as Mach-O.
• rasm2: An assembler and disassembler for different architectures.
You can read more about the other tools of the framework in the official documentation:
https://book.rada.re/.
98 Reverse Engineering an iOS Application (Developed Using Swift)
We will be using the tools of the Radare2 framework to extract information from the
binaries as well as to find any sensitive data stored.
To start with, we can analyze the metadata of a Swift binary file. Analyzing the metadata
can help in identifying the binary architecture, finding out whether the binary is stripped,
or an ELF type, whether there are binary protections, and more. Once you download the
SecureStorage IPA file (https://github.com/0ctac0der/SecureStorage-
iOSApp/releases/download/0.1/SecureStorage.ipa), extract the binary
from it and then run the following command to analyze the binary using r2:
# r2 SecureStorage
# i
In the preceding code snippet, with r2 SecureStorage, we run Radare2 on the Swift
binary of the SecureStorage application, and then with the i command, we extract the
information about the binary. The extracted information has some interesting details
about the binary, such as architecture, format, and protections (NX, canary, and relocs
(indicates that the binary performs runtime relocation)).
Here, –zzz stands for show strings (like a gnu "strings" utility does).
The following screenshot displays the output:
# iz
# is
Reverse engineering a Swift application 101
Once the binary file has been analyzed, we can then run the afl command to extract all
the functions. Refer to the following screenshot for the same:
Figure 5.16 – Finding the entry point and the main address
Reverse engineering a Swift application 103
Let's say we are interested in finding where a specific string in the binary is being
referenced. One of the extracted strings is a very long string.
# /
8873456HFEIFHFIUDFHT38256239R9F8SDCFUWEYGR87465823568EWIFH89T5
# aaa
104 Reverse Engineering an iOS Application (Developed Using Swift)
# axt 0x1000186c0
# s main
# pdf
Reverse engineering a Swift application 105
The following screenshot shows all these commands being run on the binary:
To analyze a function in visual mode or with a more visual presentation, we can use
visual mode, using the VV command. To do so, you first need to move the pointer to the
function and then run the VV command.
It is a good idea to run the afl command first and list the functions.
We can scroll further down to see the flow of logic and understand the function better.
Important Note
Position-independent code is the machine code that can execute properly (if in
the primary memory) regardless of its absolute address and can be executed at
any memory address without modification.
Important Note
Non-Executable Stack (NX) is virtual memory protection implemented to
block code injection by restricting a particular memory and implementing the
NX bit.
Important Note
A stack canary is a defense against memory corruption attacks. It is a value on
the stack that will be overwritten by a stack buffer that overflows to the return
address. When the function returns, the integrity of the canary can be verified
to detect any overflow.
Summary
This chapter explained Swift programming and Swift-based iOS applications (binaries). To
reverse engineer a Swift-based application binary, we can use previously used tools such
as Hopper or Ghidra. But in this chapter, we saw how to use the Radare2 framework and
explore the internals of the binary, extract useful information, and navigate to the code
logic/flow.
110 Reverse Engineering an iOS Application (Developed Using Swift)
As we saw that the iOS applications have compiled binaries, which are used during
reverse engineering, to analyze the binaries further, we would need the knowledge of
binary reverse engineering as well as how the processor instructions work. Generally, the
reverse engineering of mobile applications is done during a penetration test, malware
analysis, and so on. Understanding the assembly instructions and different architecture is
very much a prerequisite for advanced reverse engineering. The more you explore these
fantastic tools and perform reverse engineering of different types of applications, the more
you will end up learning. Different applications are built with different logic and program
flow; that's why there is never a set of steps or a checklist to follow while analyzing
applications for security issues. However, a lot of answers can be discovered by diving
deeper into the analysis through reverse engineering.
In the next chapter, we will look into the open source and commercially available tools for
reverse engineering (specifically for mobile applications). We will also look into the details
of the features that an open source reverse engineering framework might lack.
Section 3:
Automating Some
Parts of the Reverse
Engineering Process
This section talks about different open source and commercial reverse engineering tools,
ways to automate some parts of reverse engineering, and vulnerability discovery in mobile
apps. This section also presents some case studies for when automating a process could
be very helpful. Finally, we will end the book with details on topics to learn further and
a path to diving deeper into binary analysis and mobile application reverse engineering.
This part of the book comprises the following chapters:
Different reverse engineering tools offer different (and unique) features. It also often
becomes a personal choice of which tool you want to use, and for what purpose. For
example, I prefer using Hopper Disassembler for all iOS binary reverse engineering over
Ghidra. This is primarily because I feel more comfortable working with Hopper than
Ghidra. Another reason for someone to prefer Radare2 over Ghidra could be that they like
working on a command-line interface rather than a graphical user interface, or the visual
mode of Radare2 looks cleaner than having all the disassembled code in one window.
There is a lot of similarity between the features and support that these tools offer, but
there are crucial differences, which might make one tool more suitable for a particular job
over another.
To help you understand the pros and cons of one tool over another, in this chapter, we will
be covering the following topics:
Technical requirements
We will be using the Ubuntu virtual machine setup that we used in the previous chapter.
This chapter does not have any additional technical requirements.
• Ghidra: Probably the most common and advanced open source and free reverse
engineering tool used for mobile application reverse engineering. Some of the key
capabilities of Ghidra include assembly, disassembly, and decompilation. Ghidra
supports a wide variety of processor instruction sets and executable formats.
The official GitHub repository can be found here: https://github.com/
NationalSecurityAgency/ghidra.
• The Radare2 framework: A multi-architecture and multi-platform tool, capable of
assembling and disassembling executables, which it can also perform binary diffing
with graphs and extract information. A more detailed capability list can be found on
the official Radare2 page: https://www.radare.org/r/.
The official GitHub repository can be found here: https://github.com/
radareorg/radare2.
• JADX (only for Android apps): Unlike the iOS binary, it is comparatively easier
to reverse engineer Android apps. This is mainly because the dex file can easily
be converted to Java code. One of the most common tools used for this purpose is
JADX. This is basically a Java decompiler; it can decompile Dalvik bytecode to Java
classes from APK, dex, aar, aab, and more.
The official GitHub repository can be found here: https://github.com/
skylot/jadx.
Next, let's look at commercial tools.
The following list gives information about some of the commonly used closed source tools
for reverse engineering:
Important Note
The preceding list of open source and commercial reverse engineering tools
is not an exhaustive list. These are just the most commonly used and famous
reverse engineering tools available.
When it comes to reverse engineering of mobile applications, the choice of tool depends
majorly on the following factors:
We now know about the commonly used open source and commercial reverse
engineering tools. Let's also understand the capabilities required from these tools during
a penetration test.
118 Open Source and Commercial Reverse Engineering Tools
• Reverse engineer the application to find the logic (or function) of how these URLs
are generated.
• Perform runtime instrumentation to analyze the application while it is running. In
this method, we inject a piece of code inside the running process of the application
and then analyze its behavior. One of the commonly used tools to perform runtime
instrumentation is Frida (https://frida.re/).
On disassembling the application binary and analyzing the logical flow during that
specific step, it was revealed that the application creates an SHA-256 hash of the user's ID
and session ID. This hash is then used as a part of the URL, such as the following:
p_web_site_id=3982358328326&p_language=EN&p_show_form_in_
div=N&p_format=HTML&p_print=JSONP&p_joblocation=WWW&p_
current_host=gdx9tof61hm58kkaz4k0dp3qnht8hx
Important Note
The SHA-256 hash is created from the id=53e726ce-
954f-4291-9968-063521b87483;
sessionId=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ
zdWIiOiJ1c3JfMTIzIiwiaWF0IjoxNDU4Nzg1Nzk2LCJleHAiO
jE0NTg4NzIxOTZ9.-LzT9cobGUNslZ4JSELQFwSxp5JpT5o6Kt
MO8ySR-20 string. You can use any hash creator tool to create this hash.
120 Open Source and Commercial Reverse Engineering Tools
The previous implementation suggests that it was intended to hide the actual URL and
only allow the request with a valid hash to access the endpoint. The hash is also calculated
on the application server and matched with the hash in the request, and then internally
redirected to the correct URL. Once it was confirmed that the actual URL is rather static,
a content discovery fuzzing of the endpoint was done. This revealed that the internal URL
was in fact exposed publicly also. Here, an assumption was made by the developer as well
as the DevOps team that no one will be communicating with the actual URL, and hence,
no one really validated whether the actual URL was accessible directly or not.
Solving a challenge such as this requires good disassembling, search, and de-obfuscation
features in a reverse engineering tool. Open source tools such as Ghidra and Radare2 can
very well be used to solve this.
The reverse engineering capabilities required during a penetration test might differ from
that during malware analysis. In a penetration test, reverse engineering is generally
done to solve a piece of a puzzle or to explore some functionality. However, during
malware analysis, reverse engineering is done to explore every piece of an application and
understand all hidden features and code. Let's have a look at a malware analysis case study.
There are numerous such cases when a more advanced feature is required in a reverse
engineering tool or the tools need to support different types of architectures. Interface
choice is also a big reason why some might prefer one tool over another.
Summary
This chapter talked about some commonly used open source and commercial reverse
engineering tools. We also discussed some case studies to understand what type of
features and capabilities would be required in a tool to solve the problem. For the majority
of tasks done during a penetration test, basic disassembling and debugging are needed,
so an open source reverse engineering tool would be enough for such a requirement.
However, for more advanced features and capabilities, we would have to go with a
commercial reverse engineering tool such as IDA Pro or Hopper. It is also important to
feel comfortable with the graphical interface (or visual mode) that each of these tools have.
That's another reason why someone prefers one reverse engineering tool over another. For
the reverse engineering of mobile applications, the important features/capabilities that the
tools must have are the disassembly and assembly of OSx and dex files, decompilation,
graphing, patching of the binary files, and string search.
Tools such as Ghidra and Radare2 can very well perform the aforementioned tasks.
Another important point is that the Android application binaries can be reverse
engineered easily, in comparison to the iOS application binary. This is basically because
the dex files can be converted to Java code, using a decompiler such as JADX.
In the next chapter, we will look at some of the ways we can use automated scanners,
which can also perform a bit of reverse engineering. This might be useful when you have
a huge list of applications to reverse engineer and only want to find some basic things
in those apps – for example, I am looking for a specific string in a hundred different
applications, or I am interested in only checking for some binary protections on hundreds
of mobile app binaries. Such tests can be easily automated using open source tools. We
will look more closely into this in the next chapter.
7
Automating the
Reverse Engineering
Process
During a penetration test or malware analysis, reverse engineering is generally performed
on one binary (or application) at a time because the aim of reverse engineering is to
analyze a single application. However, there can be cases when you need to quickly
analyze a lot of applications for some generic details. For example, you want to find out
whether a specific method is being used in any of the applications you are working on, or
you want to find out whether a specific string (or strings) is a part of any of the available
application binaries.
In such cases, it would be really helpful if you could automate these tasks. A static analysis
is often the very first step during a black box penetration test of a mobile application. The
static analysis helps to quickly analyze the application based on the reverse engineered
code, extract strings, analyze the binary for some basic protections, and can also perform
a quick malware analysis. So, let's have a look at how we can automate some part of the
static reverse engineering using open source tools as well as some scripting.
124 Automating the Reverse Engineering Process
• Using an open source tool to automatically perform a static analysis of Android and
iOS applications
• Understanding a case study to automate a few reverse engineering tasks
• Writing scripts to automatically perform a few tasks on binaries
Technical requirements
We will be using the Ubuntu virtual machine setup, which we used in the previous
chapter. In this chapter, we will be using Docker inside the Ubuntu virtual machine to run
Mobile Security Framework.
• Extract details about the application from the application's manifest (for Android)
or PLIST (for iOS) files.
• Analyze the binary for protections such as Automatic Reference Counting (ARC),
code signing, and Position Independent Executable (PIE).
Important Note
ARC is used for automatic memory management in iOS apps. This is done by
handling the reference count of objects at the time of compilation.
The PIE flag is used in iOS application binaries to protect against Address
Space Layout Randomization (ASLR) by randomizing the application object's
location in the memory for every application restart.
Automated static analysis of mobile applications 125
• Reverse engineer the application binary to extract Java code (for Android apps),
classes (for iOS apps), strings, and so on
• Analyze the binary for the use of insecure APIs.
These are some of the initial test cases to be performed, and a lot of this can be done by
analyzing the reverse engineered binary. The most famous tool used for static analysis of
mobile applications is Mobile Security Framework (MobSF). Let's set up MobSF and
perform automated reverse engineering on SecureStorage iOS and Android applications.
MobSF
MobSF is an open source security assessment framework for mobile applications. It
supports mobile app binaries (APK, XAPK, IPA, and APPX) along with zipped source. We
are going to have a look at the use of MobSF in quickly reverse engineering and analyzing
the reverse engineered binaries.
The MobSF GitHub repository can be found here: https://github.com/MobSF/
Mobile-Security-Framework-MobSF.
Setting up MobSF
As per the official documentation, we can set up this tool on a Linux virtual machine
either by cloning the repository and then running the setup.sh file or using a Docker
container.
Important Note
MobSF requires Xcode command-line tools for IPA analysis, which can only
work on Mac, Linux, and Docker containers.
Let's set up MobSF using the Docker container and analyze the SecureStorage application.
To do so, we first need to install Docker on our Ubuntu virtual machine. The steps to
do so can be found on the official Docker website: https://docs.Docker.com/
engine/install/ubuntu/.
126 Automating the Reverse Engineering Process
Once Docker Engine has been installed, you can verify whether it's running properly by
using the following command:
Once this is done, you should be able to access the MobSF dashboard at
http:127.0.0.1:8000.
As you can see, a lot of these tasks are the same as the ones we performed during our
manual reverse engineering of the Android application. Once the analysis is done, we
can use the MobSF dashboard to download the reverse engineered JAVA code, strings,
AndroidManifest file, and more for a manual analysis. MobSF also performs an
automated analysis of the extracted content and provides us with a report containing all
the information (including any security issues discovered).
Once the analysis is done, we can download the reverse engineered entities, such as
strings, classdump, and Info.plist.
MobSF also performs a quick check on the binary for some protections.
Note that this is the same information that we collected during the manual reverse
engineering of the SecureStorage binary using Radare2 in Chapter 5, Reverse Engineering
an iOS Application (Developed Using Swift).
The REST APIs in MobSF can also be used to further automate the process of static
analysis of the applications.
Using MobSF, we have automated some part of the basic reverse engineering that we
did manually in Chapter 3, Reverse Engineering an Android Application, and Chapter 4,
Reverse Engineering an iOS Application. However, this is in no way an alternative to a deep
manual analysis of the reverse engineered binary implemented during a penetration test
or malware analysis.
However, using a tool such as MobSF can be extremely helpful while performing an
analysis of a large number (>5) of applications in a quick timeframe. The automation
reduces the overhead time.
Let's understand this using a case study.
3. Once the analysis is done, a JSON format of the report could be fetched and
analyzed to find the value of checks we are interested in:
1. Extracting all dex files from the APKs, using the unzip utility
2. Running strings on all dex files and saving the result in different text files
3. Grepping through all the text files containing strings to search for our specific
strings
#!/bin/bash
#For all files in the directory (all APKs are in this
directory):
Case study two – automating test cases to find security issues 133
Important Note
The preceding script might also create directories with the names classes.
run.sh (run.sh is the bash script in the same directory) and classes.
temp (temp is the folder being created). To remove these directories, add the
following two lines in the bash script:
rm -rf classes.run.sh
rm -rf classes.temp
The preceding script will automate the process of extracting dex files from a group of
APKs and will then extract strings from all dex files from the same APK and save them
in the strings.txt file (in each APK directory). Once we have the strings for all APKs,
the bash script can be extended to search for a specific string in those sets of strings.
txt files.
This is another case study of how you can automate some part of the reverse engineering
process using a custom bash script.
134 Automating the Reverse Engineering Process
Summary
This chapter talked about some case studies and gave some examples when automating
the reverse engineering process that might be helpful. Remember that reverse engineering
can be extremely in depth depending on what you are trying to achieve with it. Finding
hardcoded strings, class names, and more are the simpler tasks done through reverse
engineering. However, there can be a lot of complex challenges for which an in-depth,
manual analysis and reverse engineering might be required.
Automating all such requirements is not always possible. But it is usually a good idea
to automate the part of your work that you will need to perform again and again – for
example, extracting strings and classes from mobile application binaries.
That's it for this chapter. In the next and final chapter of this book, we will summarize
what we have discussed, what more can be explored in order to enhance your knowledge,
and what should be the way ahead.
8
Conclusion
Software reverse engineering, in simple terms, is the art of taking apart an application or
software to understand its internal workings. The way a piece of software/code functions
depends upon several factors such as the programming language, the CPU architecture
it is built for, and programming practices. The process of reverse engineering as well as
analyzing the reverse engineered software, depends on the type of architecture it was
developed for, the type of programming language, and so on.
For mobile application reverse engineering, the initial phase requires an understanding of
an application package structure, how it is developed, the programming language, binary
format, the application package type, and so on. With this knowledge, we start the process
of reverse engineering; in the case of an Android app, we use JADX because we know that
Java code can be extracted from dex files. However, for an iOS app, we disassemble the
binary using a disassembler tool such as Ghidra.
To explore deeper inside the reverse engineered binary, we would need to have a better
understanding of assembly language, architecture, native libraries, other programming
languages, and so on.
This book focuses on teaching how to get started with reverse engineering iOS and
Android applications. But this is just the tip of the iceberg. So, let's discuss what more
there is to learn, and how to get more expertise in the field of Android and iOS application
reverse engineering.
136 Conclusion
The preceding list is provided to help you see the way ahead in learning more about
Android application reverse engineering. A lot of learning eventually comes with practice,
so as you work on reverse engineering different applications, you will eventually learn more
binary reverse engineering skills, how developers usually write the program flow, and so on.
Here are a few things to learn if you want to excel in the art of reverse engineering iOS
applications:
In more than 500+ black-box mobile application penetration tests that I have performed
so far, reverse engineering is the first step. It gives a great insight into how an application
is created, some basic details, and low-hanging vulnerabilities (if any) – for example,
hardcoded sensitive details in application code is a very common security issue discovered
during penetration tests. To find such a security issue, I have a list of common keywords
that can be searched in the extracted strings from the application binary. Often, reverse
engineering provides great insights into some hidden functionalities as well. Let's have
a look at one such case study.
138 Conclusion
Summary
Being able to reverse engineer an application and understand (as well as modify) its
internal working is a great superpower to have. We discussed how mobile applications are
developed, the basics of reverse engineering mobile applications, how reverse engineering
can be useful during security assessment, as well as malware analysis, and how to
automate some parts of reverse engineering.
The path to learning does not stop here, as this is just the start of what is possible with
reverse engineering. With this, I will end this book here, and I hope you all will have a lot
of fun reverse engineering mobile applications to find and fix security issues.
Index
A Dalvik executable files 7
lib 7
Address Space Layout Randomization
META-INF 7
(ASLR) 124
res 7
Advanced Encryption Standard (AES) 58
resources.arsc 7
Android application
application
code obfuscation 59-62
modifying 59
forward and reverse engineering
recompiling 59
processes 12
application binary
fundamentals 7-12
disassembling 71
Android application development 40-43
Ghidra, using 71-78
Android Application Package (APK)
Hopper Disassembler, using 78-81
about 42, 124, 136
application binary disassembled
static analysis 129, 130
reviewing, manually for
Android application reverse engineering
security issues 81-84
about 43-46, 136
assembly language 5
unreleased features, exposing in 138
auto analysis process 75
Android Debug Bridge (ADB) 40
automated static analysis, of
Android malware 59
mobile applications
Android Runtime (ART) 42
about 124
Android Studio
MobSF 125
download link 8
static scan, performing on
hello world application, creating 8-11
SecureStorage 129
APK, components
Automatic Reference Counting
AndroidManifest.xml 7
(ARC) 124
assets 7
140 Index
B disassembler 5
disassembling 5
baksmali 29, 48 Docker Engine, on Ubuntu
binary installation link 125
used, for extracting strings 69-71
binary format 65, 66
Binary Ninja
F
about 116 fastboot 40
reference link 116 forward and reverse engineering processes
Binary Ninja pricing in Android application 12
reference link 116 frida-ios-dump 95
bytecode 42 frida-ipa-dump 95
C G
code obfuscation Ghidra
about 59 about 31, 32, 115
in Android apps 59-62 using 71-78
codesign 85
commercial tools
about 115, 117
H
Binary Ninja 116 Hopper
Hopper 116 about 116
IDA 116 disassembled binary 6
JEB Decompiler 117 reference link 116
Hopper Disassembler
D using 78-81
Dalvik bytecodes 42
Dalvik Executable (DEX) 8
I
debugging 6 IDA
decompilation 5 about 116
decompiler 5 reference link 116
DEX files IDA Free 116
converting, to smali 48-52 IDA license types
Digital Rights Management (DRM) 66 reference link 116
disassembled binary IDA price list
in Hopper 6 reference link 116
Index 141
N Radare2 framework
about 115
Native Development Kit (NDK) 40 installing 96, 97
Non-Executable Stack (NX) 109 reference link 115
strings, extracting from
O binary with r2 100
strings, extracting from binary
Objective C with rabin2 99
versus Swift application 88, 90-92 symbols, extracting from
Objective C and Swift binary 100-106, 108, 109
difference between, from reverse using 97, 99
engineering perspective 92-95 Radare2 framework, tools
open source tools rabin2 97
about 115 radare2 97
Ghidra 115 rasm2 97
JADX 115 reference link 97
Radare2 framework 115 reverse apktool
operation code (opcode) 72 about 25, 26
otool 85 use case, example 26
reverse engineering
P debugging process 6
decompilation process 5
penetration test disassembling process 5
mobile application reverse engineering fundamentals 5, 6
tools, analyzing 118, 120 of Android applications 43-46
reverse engineering, used to find of iOS application 20
security issues 52-58 using, to find security issues during
Position Independent penetration test 52-58
Executables (PIE) 124 reverse engineering of mobile
ProGuard 60 applications tools
about 23, 24
R apktool 25, 26
Ghidra 31, 32
Radare 33 JADX - Dex-to-Java decompiler 27
Radare2 Mobexler virtual machine 34
reference link 95 Radare 33
smali/baksmali 29
strings 30
Index 143
Why subscribe?
• Spend less time learning and more time coding with practical eBooks and Videos
from over 4,000 industry professionals
• Improve your learning with Skill Plans built especially for you
• Get a free eBook or video every month
• Fully searchable for easy access to vital information
• Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and
ePub files available? You can upgrade to the eBook version at packt.com and as a print
book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
customercare@packtpub.com for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up
for a range of free newsletters, and receive exclusive discounts and offers on Packt books
and eBooks.
146 Other Books You May Enjoy